Bancomat & C

Tra i molti temi molto interessanti che non analizziamo c'è tutto il mondo della sicurezza dei circuiti di pagamento (ATM, bancomat e simili).

Riporto di seguito qualche fatterello recentissimo ed interessante. Soprattutto in quanto dimostrazione (spero a questo punto inutile) delle cose dette più volte a lezione:

• I problemi pratici nascono da errori di implementazione/configurazione;
• gli attacchi sono spesso limitati da ciò che l'attaccante trova conveniente fare, non tanto da ciò che può fare;
• gli attacchi man-in-the-middle sono fattibili e particolarmente pericolosi;
• al tempo X tutti dicono "questo attacco non è realistico" e poi al tempo Y>X si scopre che non è vero;
• nei rapporti con le banche il cliente è responsabile "a prescindere";
• la crittografia non garantisce un bel nulla di per sé;
• le applicazioni di smartcard e simili si basano su dispositivi fidati per definizione, ma che nella pratica possono essere controllabili da un attaccante
• ...etc
• 
  

Le solite cose.

Cambridge security boffins slam banking card readers

Vulnerabilità delle nuove tessere ATM/Bancomat con il chip (purtroppo ce l'ho anch'io).

Card readers for online banking are inherently insecure...Researchers found a number of serious security shortcomings after reverse engineering the underlying protocol (called the Chip Authentication Programme or CAP) that underpins hand-held card readers. Readers are typically used alongside customer's debit cards to generate one-time codes for online banking login and transaction authentication. The devices are designed to thwart online banking fraud, but cost-saving measures have resulted in design compromises that have left customers open to risk of fraud.

Il lab citato nel blog qui sopra si trova qui. Ha molti altri studi interessantissimi, tra i quali il seguente (attacco man-in-the-middle al circuito ATM; contiene un bel giochino challenge-response):

Chip & PIN (EMV) relay attacks

...For example, when customers pay with a Chip and PIN card, they have no choice but to trust the terminal when it displays the amount of the transaction. The terminal, however, could be replaced with a malicious one, without showing any outward traces. When the customer pays for a low-value product and enters the PIN into the terminal, the challenge from a different shop selling a far more expensive product could be relayed to the card. The PIN and response from the card could likewise be relayed back to the other shop, which will accept the transaction....

PIN Crackers Nab Holy Grail of Bank Card Security

The attacks...., are behind some of the millions of dollars in fraudulent ATM withdrawals that have occurred around the United States....

...It was believed that once a PIN was typed on a keypad and encrypted, it would traverse bank processing networks with complete safety, until it was decrypted and authenticated by a financial institution on the other side. But the new PIN-hacking techniques belie this theory, and threaten to destabilize the banking-system transaction process.

...Information about the theft of encrypted PINs first surfaced in an indictment last year against 11 alleged hackers accused of stealing some 40 million debit and credit card details

... Unlike fraudulent credit card charges, which generally carry zero liability for the consumer, fraudulent cash withdrawals that involve a customer's PIN can be more difficult to resolve since, in the absence of evidence of a breach, the burden is placed on the customer to prove that he or she didn't make the withdrawal.